fix: Add update-ca-trust workaround for unprivileged containers

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: davdhacs

image/scanner/scripts/import-additional-cas

@@ -19,4 +19,6 @@ copy_existing /usr/local/share/ca-certificates
 # Copy the custom trusted CA bundles injected by the Openshift Network Operator.
 copy_existing /etc/pki/injected-ca-trust
 
-update-ca-trust extract
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted

image/scanner/scripts/trust-root-ca

@@ -6,4 +6,7 @@ CA_PATH="/run/secrets/stackrox.io/certs/ca.pem"
 
 # For RHEL
 cp "${CA_PATH}" /etc/pki/ca-trust/source/anchors/root-ca.pem
-update-ca-trust
+
+# The -o flag is required for running as an unprivileged user in containers.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
+update-ca-trust extract -o /etc/pki/ca-trust/extracted